Managed Sentinel

Incident enrichment is critical to reducing the effort involved in incident management. IP addresses, domains and file hashes are automatically checked against known malicious activity, GeoIP information is added, and incident entities are cross-referenced against threat intelligence data. Whitelists are also taken into account, and further context is gathered, such as whether a specific entity is a High Value Asset or whether a user has set an out-of-office notification in Outlook. The result is a calculated risk score for each incident, which is the basis for automated triage, and a summary that notifies the user about the incident. The questions a SOC Analyst would ask are answered up front, making the investigation more efficient.

The Essential plan includes:

  • AAD Risk Score
  • File Insights
  • Defender for Cloud Apps Investigations
  • Defender for Endpoint Insights
  • Out-of-Office Details
  • Threat Intelligence
  • UEBA Insights
  • Watchlist Insights
  • Related Alerts and Incidents

The Enhanced and Enterprise plans include:

  • External Threat Intelligence
  • Adding Incident Tasks
  • Logs Insights
  • User Roles and Permissions
  • Enrichment including 3rd party log sources

Once the enrichment has taken place and a risk score has been calculated, automated triage and (if necessary) notification are performed.
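As an added example, not the provider's own code: a toy version of the enrichment and triage step described above. The threat intelligence, GeoIP, whitelist, asset and out-of-office data are constructed, and the weights and thresholds are assumptions chosen for illustration.

```python
"""Illustrative incident enrichment and risk scoring (added example).

All lookup data, weights and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for TI feeds, GeoIP, whitelists, asset lists and Outlook state.
THREAT_INTEL = {"ip": {"203.0.113.7"}, "domain": {"evil.example"}, "hash": {"constructed-hash-0001"}}
GEOIP = {"203.0.113.7": "ZZ", "198.51.100.5": "CH"}
WHITELIST = {"ip": {"198.51.100.5"}, "domain": {"corp.example"}, "hash": set()}
HIGH_VALUE_ASSETS = {"dc01", "fileserver"}
OUT_OF_OFFICE = {"alice@corp.example"}


@dataclass
class Incident:
    entities: dict                 # e.g. {"ip": [...], "domain": [...], "hash": [...]}
    hosts: list
    users: list
    summary: list = field(default_factory=list)


def enrich_and_score(inc: Incident) -> tuple:
    """Return (risk score, triage decision) and fill inc.summary with the findings."""
    score = 0
    for kind, values in inc.entities.items():
        for value in values:
            if value in WHITELIST.get(kind, set()):
                # Whitelisted entities never contribute to the score.
                inc.summary.append(f"{kind} {value}: whitelisted, ignored")
                continue
            if value in THREAT_INTEL.get(kind, set()):
                score += 40
                inc.summary.append(f"{kind} {value}: matches threat intelligence")
            if kind == "ip" and value in GEOIP:
                inc.summary.append(f"ip {value}: GeoIP {GEOIP[value]}")
    for host in inc.hosts:
        if host in HIGH_VALUE_ASSETS:
            score += 30
            inc.summary.append(f"host {host}: High Value Asset")
    for user in inc.users:
        if user in OUT_OF_OFFICE:
            # Activity on an account whose owner is away deserves a closer look.
            score += 20
            inc.summary.append(f"user {user}: out-of-office set in Outlook")
    decision = "escalate" if score >= 50 else "notify" if score >= 20 else "auto-close"
    return score, decision
```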

See for yourself!

Do you want to learn more? We suggest you book a short and comprehensive demo of our Managed Sentinel Services right now. It will be worth your time!
